One Article Review

Home - The article:
Source: Anomali
Identifier: 8334939
Publication date: 2023-05-09 20:02:00 (viewed: 2023-05-09 20:07:14)
Title:
Anomali Cyber Watch: Custom Virtual Environment Hides FluHorse, BabyShark Evolved into ReconShark, Fleckpe-Infected Apps Add Expensive Subscriptions
Text:

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, defense evasion, infostealers, North Korea, spearphishing, and typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution (published: May 5, 2023)

McAfee researchers have detected a multi-stage attack that starts with a trojanized wextract.exe, a Windows executable used to extract files from a cabinet (CAB) file. It was used to deliver AgentTesla, the Amadey botnet, LockBit ransomware, Redline Stealer, and other malicious binaries. To avoid detection, the attackers use obfuscation and disable Windows Defender through the registry, which also stops users from turning it back on through the Defender settings.

Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioral analysis defenses and social engineering training. Users should report suspicious files with double extensions such as .EXE.MUI. Indicators associated with this campaign are available in the Anomali platform and users are advised to block these on their infrastructure.

MITRE ATT&CK: [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] T1555 - Credentials From Password Stores | [MITRE ATT&CK] T1486: Data Encrypted for Impact | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information

Tags: malware:Amadey, malware-type:Botnet, malware:RedLine, malware:AgentTesla, malware-type:Infostealer, malware:LockBit, malware-type:Ransomware, abused:Wextract.exe, file-type:CAB, file-type:EXE, file-type:MUI, target-program:Windows Defender, target-system:Windows

Eastern Asian Android Assault – FluHorse (published: May 4, 2023)

Active since May 2022, a newly-detected Android stealer dubbed FluHorse spreads by mimicking popular apps or posing as a fake dating application. According to Check Point researchers, FluHorse was targeting East Asia (Taiwan and Vietnam) while remaining undetected for months. This stealthiness is achieved by sticking to minimal functions while also relying on a custom virtual machine that comes with the Flutter user interface software development kit. FluHorse is distributed via emails that prompt the recipient to install the app; once installed, it asks for the user’s credit card or banking data. If second-factor authentication is needed to commit banking fraud, FluHorse tells the user to wait for 10-15 minutes while it intercepts codes by installing a listener for all incoming SMS messages.

Analyst Comment: FluHorse’s ability to remain undetected for months makes it a dangerous threat. Users should avoid installing applications following download links received via email or other messaging. Verify the app authenticity on the official com
Sent: Yes
Tags: Malware, Tool, Threat
Stories: APT 37, APT 43
Rating: ★★★


The article does not seem to have been picked up after its publication.


The article does not seem to be a repeat of a previous one.